Following the GCP Certificate Manager documentation, one creates a DNS authorization for a domain, and then creates a certificate referencing that request.
If I create an authorization for the domain foo.example.com, I can create a certificate for foo.example.com, a wildcard certificate for *.foo.example.com, or both. But I'm not able to create certificates for a.foo.example.com, b.foo.example.com, etc. (nor a single certificate with those as SANs).
If I don't want to use a wildcard certificate, I'll need to create authorizations for each FQDN. Not a huge issue if I'm using Terraform and Cloud DNS, but if DNS records need to be manually added to authorize each one, that becomes burdensome.
So, am I missing something here?